Cell phone spoofing: Security risk or just annoying?

Given that we all need to be more security-savvy and learn the behaviors of good cyber hygiene, I try to stay on alert when it comes to email messages and phone calls.

One client told me I have been in the industry too long because I wouldn't open a link he shared until I confirmed he actually intended to send it.

So, I know about email spoofing—that it is used for phishing campaigns—but I didn't realize spoofing also happens on cell phones.

Maybe you, too, have answered the phone to hear a brief moment of pause before a woman explains she was just adjusting her headset. I've received it, a few times even. I've just hung up on her.

In the past few weeks, though, I've gotten a collection of random calls and texts from people who say, "I just missed a call from this number." In fact, I've received three such calls today—all before noon—while I was on the phone with Sprint trying to report the issue.

Mysteriously, the calls that remain in my call log all come from a number that has the same area code and first three numbers of my cell phone number, but the last four digits are all different each time.

When I called Sprint, I was concerned that my account had been hacked, but they, "didn't see any suspicious activity," according to Elena in customer service.

As I sat on hold, being transferred to three different people, I started Googling the issue. There have been chats on reddit, and AT&T reminds its customers to read their privacy guidelines.

I asked if the security practitioners were aware of this issue, but Elena told me she's only had calls from people reporting telemarketing concerns. Naturally, I asked what steps they take to communicate customer concerns about potential security breaches, and she said, "If you call again with this same matter, the next person will be able to see her notes in my account."

But the concern that I'm reporting isn't ever shared among the customer service representatives. And while I was the first person to make Elena aware of these spoofing calls, she has no idea whether anyone else has reported it to other representatives.

Then I was transferred to Sara, a manager, who said she was "unable to report this to the corporate security team because there is a process for security and incident reports."

Oddly, Sara said, "The only time you can reach out to corporate security is if there has been a physical injury, as in an accident or assault, or something of that nature."

Sprint's media relations department responds

That rule apparently applies only to customer service representatives because I did reach out to Sprint's media relations department and received a swift response.

A Sprint representative wrote:

This appears to be spoofing and not a Sprint-specific issue. As the activity is prohibited by the FCC, they provide helpful information on their website which may be of interest to your readers, including how individuals can protect themselves and how to report suspicious calls.

Additionally, Sprint provides a service called Premium Caller ID. In November 2016, we announced an enhancement to that service so that customers can protect themselves from unwanted robocalls and caller ID spoofers. Here is a blog post outlining the details.

The blog post does indeed discuss solutions to spoofing, one of which is that you can "elect to block the number in order to prevent future calls, and may also choose to report the call, which is used to help refine data via crowd-sourcing."

The latter part of this advice was never conveyed in my first three conversations with anyone (including supervisors) in the customer service department. The very word spoofing was never even uttered.

Yet, the blog goes on to claim,

“At Sprint, we strive to provide top-notch customer service, and today, we’re able to protect our customers from unwanted robocalls,” said Mark Yarkosky, Sprint’s director of product management. “Cequint has effectively created an important and needed solution to better providing mobile customers with better privacy and security.”

So, my question remains: Is spoofing a security risk, or is it just annoying?